Collecting Container Assets

Scenarios

HSS can collect information about container assets, including clusters, nodes, containers, images, and container fingerprints. With the container asset function, you can centrally count container assets and detect unsafe assets in a timely manner. This section describes the container asset collection items and how they are collected.

Prerequisite

Container assets have been connected to HSS. For details, see Connecting to a Third-party Image Repository, Accessing CI/CD, and Installing an Agent in a Cluster.

Constraints

The container fingerprint function is supported only by the HSS enterprise edition. For details about how to purchase HSS, see Purchasing an HSS Quota.

Container Asset Collection Items

The container asset function can collect information about container assets, including clusters, nodes, containers, images, and container fingerprints. Container fingerprints are classified into multiple subtypes, including accounts, open ports, processes, software, auto-started items, web applications, web services, web frameworks, websites, middleware, and databases. For details about assets, see Table 1.

**Table 1** Container asset collection items
Item	Description
Clusters	You can check statistics and details about clusters, workloads, services, and pods.
Nodes	You can check details about cluster nodes and independent nodes.
Containers	You can check details about container instances.
Images	You can check information about local images, repository images, and CI/CD images.
Accounts	Check and manage all accounts on your containers to keep them secure. Real-time account information includes the account name, number of servers, server name, IP address, login permission, root permission, user group, user directory, shell started by the user, container name, container ID, the last scan time, and the first scan time.
Open ports	Check open ports on your containers, including risky and unknown ports. You can easily find high-risk ports on containers by checking local ports, protocol types, server names, IP addresses, statuses, PIDs, and program files. Manually disabling high-risk ports If dangerous or unnecessary ports are found enabled, check whether they are mandatory for services, and disable them if they are not. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary. It is recommended that you handle the ports with the Dangerous risk level promptly and handle the ports with the Unknown risk level based on the actual service conditions. Ignore risks: If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
Processes	Check processes on your containers and find abnormal processes. You can easily identify abnormal processes on your containers based process paths, server names, IP addresses, startup parameters, startup time, users who run the processes, file permissions, PIDs, and file hashes. If a suspicious process has not been detected in the last 30 days, its information will be automatically deleted from the process list.
Installed software	Check and manage all software installed on your containers, and identify insecure versions. You can check real-time and historical software information to determine whether the software is risky. Real-time software information includes the software name, number of servers, server names, IP addresses, software versions, software update time, the last scan time, and the first scan time. Historical software change records include the server names, IP addresses, change statuses, software versions, software update time, and the last scan time.
Auto-started items	Check for auto-started items and quickly locate Trojans. Real-time information about auto-started items includes their names, types (auto-started service, startup folder, pre-loaded dynamic library, Run registry key, or scheduled task), number of servers, server names, IP addresses, paths, file hashes, users, container name, container ID, and the last scan time.
Websites	Check information about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, certificate information (to be provided later), and key processes of websites. The following websites support data collection: Apache, Nginx, and Tomcat.
Web frameworks	Check statistics about frameworks used for web content display, including their versions, paths, and associated processes. The following types of web frameworks support data collection: Java language framework: Struts, struts2, spring, hibernate, webwork, quartz, velocity, turbine, FreeMarker, flexive, stripes, vaadin, vertx, wicket, zkoss, jackson, fastjson, shiro, MyBatis, Jersey and JFinal. Python framework: Django, Flask, Tornado, web.py, and web2py. PHP language framework: Webasyst, KYPHP, CodeIgniter, InitPHP, SpeedPHP, ThinkPHP, and OneThink Go framework: Gin, Beego, Fasthttp, Iris, and Echo.
Middleware	Check information about servers, versions, paths, and processes associated with middleware.
Web services	Check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software. Data can be collected from the following web services: Apache, Nginx, Tomcat, WebLogic, WebSphere, JBoss, Wildfly, and Jetty.
Web applications	Check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software. Data of the following web applications can be collected: PHPMailer, PHPMyadmin, DedeCMS, WordPress, ThinkPHP, BigTree, JPress, Jenkins, Zabbix, Discuz!, and ThinkCMF.
Databases	Check details about the software that provides data storage, including versions, paths, configuration files, and associated processes of all software. Data can be collected from the following types of databases: MySQL, Redis, Oracle, MongoDB, Memcache, PostgreSQL, HBase, DB2, Sybase, Dameng database management system, and KingbaseES database management system.

Container Asset Collection Methods

Container asset information can be collected automatically or manually. For details about how each type of fingerprints is collected, see Table 2.

After the agent is installed on a cluster node or independent node, information about server assets will be collected for the first time immediately. By default, the automatic collection period starts from the time when the agent installation succeeded.

Collection intervals can be customized for middleware, web frameworks, kernel modules, web applications, websites, web services, and databases. For details, see Asset Discovery.

**Table 2** Container asset collection methods
Item	Automatic Collection Frequency	Manual Collection Method
Clusters	Automatic check every 24 hours	Manually Collecting Cluster, Service, Workload, and Container Information
Nodes	Cluster nodes: automatic check every 24 hours Independent nodes: Data is automatically collected after the agent is installed.	None
Containers	Automatic check every 24 hours	Manually Collecting Cluster, Service, Workload, and Container Information
Images	Local images: Images on cluster nodes: automatic check every 24 hours Images on independent nodes: Data is automatically collected after the agent is installed. Repository image: None. Manual collection required. CI/CD image: Data is automatically collected during CI/CD project building.	Local image and CI/CD image: Data cannot be collected manually. For details about how to manually collect repository images, see Synchronizing Repository Images.
Accounts	Automatic check every hour	Manually Collecting the Latest Asset Fingerprints of All Containers
Open ports	Automatic check every 30 seconds	Manually Collecting the Latest Asset Fingerprints of All Containers
Processes	Automatic check every hour	Manually Collecting the Latest Asset Fingerprints of All Containers
Installed software	Automatic check every day	Manually Collecting the Latest Asset Fingerprints of All Containers
Auto-started items	Automatic check every hour	Manually Collecting the Latest Asset Fingerprints of All Containers
Websites	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers
Web frameworks	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers
Middleware	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers
Web services	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers
Web applications	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers
Databases	Once a week (04:10 a.m. every Monday)	Manually Collecting the Latest Asset Fingerprints of a Single Container Manually Collecting the Latest Asset Fingerprints of All Containers

Manually Collecting the Latest Asset Fingerprints of a Single Container

To view the latest data of web applications, web services, web frameworks, websites, middleware, and databases in real time, you can manually collect their fingerprints.

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.
(Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
Click the name of the target server. On the server details page that is displayed, choose Asset Fingerprints > Containers.
Click a fingerprint in the fingerprint list, and click Discover Assets on the upper area of the list on the right.

Currently, only Web Applications, Web Services, Web Frameworks, Websites, Middleware, and Databases support real-time manual collection and update. Information about other types is automatically collected and updated every day.

Figure 1 Collecting data now
After the automatic execution is complete, the last scan time is updated and the latest container asset information is displayed.

Manually Collecting the Latest Asset Fingerprints of All Containers

To view the latest data of accounts, open ports, processes, software, auto-started items, websites, web frameworks, middleware, web services, web applications, and databases in real time, you can manually collect their fingerprints.

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
Choose Asset Management > Container Assets.

In the upper right corner of the page, click Update Asset Fingerprints.
Select the server update scope and click OK.

Figure 2 Updating asset fingerprints
After the Updating Asset Fingerprints status disappears from the button in the upper right corner of the page, you can view the latest asset fingerprints.

Manually Collecting Cluster, Service, Workload, and Container Information

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
In the navigation pane, choose Asset Management > Container Assets.

Alternatively, you can choose Installation & Configuration > Container Install & Config, click the Cluster tab, and click Synchronize the Latest Assets.
Click the Cluster tab and click Synchronize Clusters in the upper right corner.
Wait for about 5 minutes, refresh the cluster page, and view the latest assets after synchronization.